This document describes a technique for upgrading a DNS TCP connection to use Transport Layer Security (TLS) over standard ports. Encryption provided by DNS-over-TLS eliminates opportunities for eavesdropping of DNS queries in the network. The proposed mechanism is backwards compatible with clients and servers that are not aware of DNS-over-TLS.

DNS messages between clients and servers may be received over either UDP or TCP. UDP transport involves keeping less state on a busy server, but can cause truncation and retries over TCP. Additionally, UDP can be exploited for reflection attacks. Using TCP would reduce retransmits and amplification. However, clients are currently limited in their use of the TCP transport as RFC 5966 suggests closing idle TCP sessions "in the order of seconds", making use of TCP only suitable for individual queries generated as a fallback protocol for truncated UDP answers. This document defines an EDNS0 option ("edns-tcp-keepalive") that allows DNS clients and servers to signal their respective readiness to conduct multiple DNS transactions over individual TCP sessions. This signalling facilitates a better balance of UDP and TCP transport between individual clients and servers, reducing the impact of problems associated with UDP transport and allowing the state associated with TCP transport to be managed effectively with minimal impact on the DNS transaction time.

Suggests use of cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 with EC Brainpool P-256, brainpoolp256r1 [RFC7027]), and fall back to the commonly used NIST P-256 (secp256r1) curve [RFC4492]. Note: OpenSSL calls secp256r1 prime256v1 and you need OpenSSL 1.0.2-beta1 to get brainpoolp256r1